March 31st 2018

Free software activities in March 2018

Here is my monthly update covering what I have been doing in the free software world during March 2018 (previous month):

Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.

This month I:


Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, reviewing other maintainers' packages, etc.
  • Issued DLA 1299-1 fixing an XML External Entity (XXE) attack in the JGraphX diagramming library.
  • Issued DLA 1304-1 for zsh to fix four vulnerabilities, including a privilege-elevation issue.
  • Issued DLA 1306-1 for the libvips image processing library where attackers could cause a remote denial of service.
  • Issued DLA 1311-1 for the adminer web-based database administration tool. I also updated jessie-backports and proposed updates for stretch (#893803) and jessie (#893804).
  • Issued DLA 1317-1 for the net-snmp server management framework to correct a heap corruption vulnerability.
  • Issued DLA 1318-1 for irssi closing an issue where nicknames could result in out-of-bounds access.


  • python-django (2.0.3-1 & 1.11.11-1) — New upstream security releases.
  • libfiu:
    • 0.95-5 — Add support for cross-compilation. (#892946)
    • 0.95-6 & 0.95-7 — Incorrect attempts to fix a build failure. (#893049)
    • 0.96-1 — New upstream release, fixing the aforementioned build failure caused by Make parallelism.
  • redisearch (1.0.9-1) — New upstream release.

Debian bugs filed

  • postgresql-10: Please update NEWS entry for 10.3-1. (#891898)
  • python-meshio: Installs test files to /usr/lib/python3/dist-packages. (#892019)
  • clang-tidy-7: Missing depends on libclang-common-7-dev. (#891999)
  • lintian: Warn about "old" X-Python3-Version fields? (#892304)
  • todoman: Bogus description in manpage. (#892381)

